Innovator Spotlight: SNYK – Cyber Defense Magazine


It’s time to give your development process a boost. We’ve all been there staring at a security issue, trying to figure out the best way to fix it without breaking everything else in the codebase. It’s not exactly the most fun part of the job, but it’s crucial. Wouldn’t it be nice if there were an easier way to handle these issues without all the guesswork?

Enter DeepCode AI Fix. This tool takes the hassle out of fixing security problems, making it as simple as a click of a button, and it does it right within your IDE. Ready to see how you can streamline your security fixes and save time? Let’s dive into how DeepCode AI Fix can make your life as a developer a whole lot easier.

“AI is a powerful tool for building software faster. By leveraging it in the right ways, you can also build secure software. Our Snyk DeepCode AI Fix engine aims to help developers both build fast and stay secure.” – Randall Degges, Head of Developer & Security Relations

DeepCode AI Fix addresses the challenge of fixing security issues, which isn’t always straightforward, as developers need to understand how the code functions within the larger context of the codebase, identify the security issue, and determine the best way to remediate it. While Snyk Code offers detailed explanations of detected security issues and example fixes, developers previously had to find a way to implement these fixes on their own. DeepCode AI Fix solves this by enabling one-click, security-checked fixes within the IDE, allowing developers to fix security issues automatically, accurately, and seamlessly.

“I think the reality is that the only way to truly solve application security is by shifting it left or moving it earlier in that software development life cycle. You don’t want developers to slow down, and you don’t expect developers to be security experts. You need to embed security in, behind the scenes, allowing developers to continue to develop fast. The risks have never been greater to do that.” – Peter McKay, CEO

Despite 92% of developers acknowledging that AI coding tools generate insecure code suggestions at least some of the time, and 56% admitting that AI introduces coding issues frequently, an astonishing 76% still believe AI-generated code is more secure than human-written code.

Snyk Quick Fix code management

DeepCode AI Fix is an AI-powered feature that provides one-click, security-checked fixes within Snyk Code, our developer-focused, real-time SAST tool. It delivers fixes to security issues detected by Snyk Code in real-time, in-line, and within the IDE. This functionality enables developers to build securely and seamlessly by enabling them to fix security issues automatically. DeepCode AI Fix is powered by the LLM portion of our DeepCode AI engine, which consists of a combination of symbolic AI and machine learning, including our LLM.

The way it works is like so:

  • When a developer writes code in their IDE, Snyk’s real-time SAST tool analyzes the project using our symbolic AI-based machine learning model, which allows us to accurately detect real vulnerabilities in a codebase. This method is far more reliable than relying on general-purpose LLMs, which are far less accurate than the symbolic models our security analysts build in-house.
  • After our symbolic model has detected a vulnerability, we use generative AI (LLMs) to create proposed fixes for it. We then run each proposed fix back through the symbolic model to confirm the issue has actually been resolved before applying it.

This approach combines the strengths of multiple types of AI to deliver both accurate vulnerability detection and remediation, something that sets Snyk apart from other solutions and addresses the hallucination problem that many purely generative solutions suffer from.

GitHub Copilot may suggest insecure code if an existing codebase contains security issues, and if a codebase is already highly secure, Copilot is less likely to generate code with security issues. Snyk data reveals that the average commercial project has around 40 vulnerabilities in first-party code, with almost a third being high-severity issues. AI code-generation tools draw on this code as context and can reproduce those vulnerabilities in what they generate, potentially exacerbating security risks. Snyk can help organizations take several steps to mitigate the problem of AI coding assistants duplicating existing security issues.


It’s key to combine generative AI coding assistant tools with traditional AppSec techniques in order to mitigate new issues as they’re introduced. These techniques include manual code reviews, secure coding guidelines, training, and static analysis testing throughout the SDLC—particularly early on in places like the IDE where this code is generated. By integrating these practices, you can help ensure that your applications are more resilient to potential threats. Create your free Snyk account to start securing AI-generated code in minutes. Or book an expert demo to see how Snyk can fit your developer security use cases.

About the Author

Pete Green, vCISO, Cybersecurity Consultant and Reporter for CDM. Pete Green has over 20 years of experience in Information Technology related fields and is an accomplished practitioner of Information Security. He has held a variety of security operations positions including LAN / WLAN Engineer, Threat Analyst / Engineer, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Manager / Director of IT, CTO, CEO, and Virtual CISO. Pete has worked with clients in a wide variety of industries including federal, state and local government, financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality. Pete holds a Master of Computer Information Systems in Information Security from Boston University, an NSA / DHS National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA / CD), and a Master of Business Administration in Informatics. Pete can be reached online at [email protected], @petegreen, https://linkedin.com/in/petegreen and at our company website https://www.cyberdefensemagazine.com.


